Abstract

When a computer monitors a physical process, the computer uses sensors to determine the 
values of the physical variables that represent the state of the process. A sensor can sometimes 
fail, however, and in the worst case report a value completely unrelated to the true physical value. 

The work described in this paper is motivated by a methodology for transforming a process 
control program that cannot tolerate sensor failure into one that can. In this methodology, 
a reliable abstract sensor is created by combining information from several real sensors that 
measure the same physical value. To be useful, an abstract sensor must deliver reasonably
accurate information at reasonable computational cost.

In this paper, we consider sensors that deliver multidimensional values (e.g., location or
velocity in 3 dimensions, or both temperature and pressure). Geometric techniques are used
to derive upper bounds on abstract sensor accuracy and to develop efficient algorithms for

One of the oldest techniques in fault-tolerance is using replication to mask failures [Sho68]. For
example, TMR, the triple module redundancy scheme, masks the failure of a signal by feeding three
independently computed copies of the signal into a majority voter [vN56]. TMR can be easily
extended to NMR, or n-module redundancy, whereby n independent copies are fed into a majority
voter. With NMR, up to f = signal failures can be masked.

As stated here, NMR assumes a very weak failure model, making it a highly applicable technique.
One doesn't, for example, need to know the nature of the faults, the frequency of faults, or the
distribution of faulty signal values in order to design a system that uses NMR. The only time such
properties are considered is when appropriate values of f and n are computed. This same weak
failure model has been applied to several problems in distributed systems; for example, consensus
[NT88] and reliable broadcast [CAS86], and has also been incorporated into a methodology for
building fault-tolerant distributed programs [Sch90,Lam84].

One of us (Marzullo) has been working on the problem of writing provably correct programs 
that monitor and control physical processes. The state of a physical process is usually represented 
by a set of values for a corresponding set of continuous physical variables, such as the temperature 
or pressure of a reaction vessel. Physical values are usually measured by accessing sensors, such 
as thermometers or pressure gauges. A sensor, however, has a limited accuracy which gives some
uncertainty in the value of the physical variable it senses, and the real-time nature of physical
processes combined with uncertain execution times can increase the uncertainty in the measured
value of the physical variable. If this uncertainty is too large or if the underlying sensor is faulty, 
then the measurement will be useless to a control program. 

One can model the value of a sensor as a random variable and then convolve the values
of different sensors that measure the same physical variable. Doing so will improve the accuracy
of the measured value, but it will also introduce a failure model that is expressed in terms of a
(possibly unknown) probability distribution. Instead, in [Mar90] we have represented the value of
a physical variable as a contiguous interval and applied the same weak failure model of assuming
no more than f out of n sensors are incorrect. We have derived tight bounds on the accuracy
of the resulting measured physical values and have presented efficient algorithms ($O(n \log n)$) for
masking the faults of such sensors. The bounds for this problem are derived by considering interval
graphs [Gol80].

One limitation of the work in [Mar90] is that it is applicable only to sensors that measure a 
single, independent, real value. An example of a sensor that does not fit this model is one that 
measures the location of some physical object in 3D space. If such multidimensional sensors are 
used then a naive approach to masking failures is to consider the x component separately from 
failures of the y and z components, but doing so limits the accuracy of the resulting value. For 
example, any sensor found to be faulty by examining the x components should most likely be 
discarded when considering the y and z components. This paper extends [Mar90] by considering 
such multidimensional sensors. 

We assume that real sensors have the following properties. Let be a sensor of some physical
variable v. A measurement $s_i$ is a continuous set of values that conform to some shape, such as a
continuous interval, a rectangle, a sphere, etc. We say that $s_i$ is correct if it is not too inaccurate
and always includes the value of the actual physical variable. More precisely, for some upper bound
acc on the accuracy of $s_i$,

$$s_i \text{ correct} \equiv (v \in s_i) \wedge (|s_i| < acc)$$

Thus, a real sensor can fail in two ways: it can fail to contain the true value or it can report 
a region so large as to be useless. For the purposes of this paper, we assume such large-region 
sensors can be detected and discarded by preprocessing the real sensor data (n and f will have to
be adjusted). Thus for the remainder of this paper, we can assume without loss of generality that 
all sensors are accurate (report regions of reasonable size) and that a sensor can be incorrect only 
by failing to contain its corresponding true value. 

Let $s_i$ and $s_j$ ($i \neq j$) be the measurements by two abstract sensors for the same physical value
v. If $s_i$ and $s_j$ both contain the correct value, then the intervals $s_i$ and $s_j$ must intersect, and their
intersection must contain the (unknown) value v.

Consider a set $S = \{s_1, s_2, \ldots, s_n\}$ of n independent measurements of the same physical value. If
f or fewer measurements do not contain the correct value, then any set of $n - f$ mutually intersecting
measurements may contain the correct value within their intersection, since they each share a
common value. Conversely, any point not contained in at least $n - f$ measurements cannot be
the correct value; if it were, then there would be more than f faulty sensors. So, the cover of all
$(n - f)$-cliques must contain the correct value. (An $(n - f)$-clique corresponds to a value where at
least $(n - f)$ sensor measurements intersect.)

We have one further constraint: any program written to deal with a single measurement assumes 
that the sensor delivers a region of some expected shape (e.g., rectangle, sphere, cube, etc.), so we 
require the cover to also have this same shape. This constraint allows us to improve a program 
based on a single (unreliable) real sensor by changing only the sensor; the real sensor is replaced by 
several real sensors whose inputs are combined to produce a single abstract sensor. The program 
can use the resulting abstract sensor just as it originally used the single real sensor. 

To summarize, we have the following goals for our abstract sensor: 

1. It should be guaranteed (assuming no more than f failures) to deliver a region containing the
true physical value.

2. It should deliver a shape that is within the same class as the shapes delivered by the individual 
real sensors. 

3. It should be accurate. In other words, assuming no more than f failures, it should deliver
a region that is not significantly larger than a region that might be delivered by a single, 
correct real sensor. 

4. It should be efficient to compute. An abstract sensor is useless unless it can be computed in 
a reasonable amount of time. 

It is useful to define $I_{f,n}(S)$, the smallest region that satisfies goals 1 and 2. In other words,
it is the smallest figure of the correct shape that covers all $(n - f)$-cliques in S. For instance,
if the individual sensors report intervals in one dimension then $I_{f,n}(S)$ is the smallest interval that
contains all the $(n - f)$-cliques. It is clear that the (unknown) true value v is a member of $I_{f,n}(S)$
as long as no more than f measurements are faulty.

Figure 1 illustrates $I_{f,n}(S)$ for measurements that are rectangles. The left-hand figure shows
four measurements, and the right-hand figure shows the rectangle that covers all 3-cliques of the
measurements.

Figure 1: $I_{f,n}(S)$ for Rectangular Measurements; (a) the four measurements, (b) the covering rectangle.

Although $I_{f,n}(S)$ always contains the correct value and is defined for all $f : 0 \le f < n$, it may
be difficult to compute or its size $|I_{f,n}(S)|$ may be too large to be of use to any control program.

In the following sections, we derive upper bounds on $|I_{f,n}(S)|$ as a function of f, n, and the
sizes of $s_i \in S$. We use this information to develop algorithms for abstract sensors. The results
derived in [Mar90] for 1D intervals are summarized in Section 2. In Section 3 we derive upper
bounds and algorithms for measurements that are d-dimensional rectangles, and in Section 4 we 
discuss abstract sensors for measurements that are d-dimensional circles. Note that the results on 
circles actually hold for any class of convex shapes in which the shapes are geometrically similar 
and share the same orientation. 
2 Linear Sensors


In [Mar90], Marzullo shows that for linear sensors (sensors that report 1D intervals) $I_{f,n}(S)$ can
be found efficiently and that for $f < n/2$, $I_{f,n}(S)$ has reasonable size. The upper bounds on $|I_{f,n}(S)|$
are stated in the following two theorems.

First, we need some notation. Define the functions $\min_i$ and $\max_i$ to be the i-th smallest and
largest values of a set of n values respectively. Note that $\min_i$ is the same as $\max_{n-i+1}$. For
example, if $S = \{13, 14, 15\}$ then $\min_3(S) = \max_1(S) = 15$.

Theorem 1 Let S be a set consisting of n intervals. If $0 \le f < n/2$ then $|I_{f,n}(S)| \le \min_{2f+1}\{|s| : s \in S\}$.

Thus, when $f < n/2$, the resulting abstract sensor is as accurate as one of the original sensors.
$I_{f,n}(S)$ can also be computed efficiently, in $O(n \log n)$ time, by sorting the endpoints of the n intervals,
then moving through the endpoints in order, keeping track of the depth at each instant.

The second theorem states that there is no upper bound on the size when $f \ge n/2$.

Theorem 2 Given a set $\{\ell_1, \ell_2, \ldots, \ell_n\}$ of n lengths and $n/2 \le f < n$, then for any length $\Lambda > \max\{\ell_i\}$ there exists a set of n intervals $S = \{s_1, s_2, \ldots, s_n\}$ where $\forall i : 1 \le i \le n : |s_i| = \ell_i$ and $|I_{f,n}(S)| = \Lambda$.

2.1 Multidimensional Sensors and Projection 

The 1D results on intervals can be used directly to give results for multidimensional sensors. For
a d-dimensional sensor, we project the region for sensor $s_i$ onto each of the d orthogonal axes. We
now have d separate 1D problems. These problems can be solved individually and then recombined
to produce a d-rectangle. 

There are several possible disadvantages to this approach: 

1. Information may be lost. For example, the knowledge that a sensor's x-coordinate cannot
possibly be correct should be used to toss out the entire sensor. 


2. A d-rectangle is not necessarily the desired shape. For example, our abstract sensor may be 
required to report a circle. 

3. The size of the resulting sensor may be larger than necessary (see Figure 2). 



Figure 2: Intersection vs. Intersection of Projections (n = 3, f = 1)

In fact, projection techniques are the method-of-choice in some situations (see Section 3), but 
these situations depend on the shapes involved and the relationship between f and n.

3 d-Rectangles

If $s_i$ is constrained to be a d-dimensional rectangle, then another upper bound can be placed on
the size of $I_{f,n}(S)$.

Theorem 3 Let S be a set consisting of n d-dimensional rectangles. If $0 \le f < n/(2d)$ then $|I_{f,n}(S)| \le \min_{2df+1}\{|s| : s \in S\}$.

The proof of this theorem is based on a counting argument that shows $I_{f,n}(S)$ is contained in
at least $n - 2df$ of the original rectangles.
The bound on f given in the theorem is tight. Figure 1 shows a 2D example where $f = n/4$ and
$I_{f,n}(S)$ is larger (in area) than any of the original rectangles. Similar examples can be built for any
dimension d.

This theorem shows that increased accuracy comes with a price: if it is desired that $|I_{f,n}(S)|$
be at least as accurate as some measurement in S, then the amount of replication needed increases
quickly (linearly) with d. For example, in order to tolerate a single failure for measurements that
are 3D rectangles, a sensor must be replicated at least 7 times.

3.1 Algorithms for Rectangles 

For 2D problems (and for 1D problems), efficient algorithms exist to compute $I_{f,n}(S)$ directly.
Consider rectangles in two dimensions. The smallest rectangle containing all of the $(n - f)$-cliques
can be found in $O(n \log n)$ time by using a sweep-line combined with Bentley's segment tree (see,
for instance, [PS85]). Note that, although the entire boundary of the $(n - f)$-cliques can be of
complexity $n^2$, we need only determine the left, right, top, and bottom boundaries. This can be
done efficiently by keeping depth information within the segment tree.

Unfortunately, this technique does not generalize well to higher dimensions. For instance, 3D 
rectangles (rectangular parallelepipeds) require a sweep-plane with dynamic insertion and deletion
of 2D rectangles. 

There is, however, an efficient algorithm that reports a d-rectangle for any d that is almost as
good as the minimal d-rectangle that we desire. This uses the projection technique, converting a
d-dimensional problem into d 1-dimensional problems. The results of these separate 1D problems are
combined to produce the projection rectangle, a d-rectangle that is guaranteed to be of reasonable
size. The algorithm is based on the following theorem.

Theorem 4 Let S be a set consisting of n d-dimensional rectangles. If $0 \le f < n/(2d)$ then the size
of the projection rectangle is $\le \min_{2df+1}\{|s| : s \in S\}$.
Note that the projection rectangle can be computed in $O(dn \log n)$ time and has exactly the
same size bound as $I_{f,n}(S)$. Thus, if our goal is to create an abstract sensor that is at least as accurate
as some measurement in S, the projection rectangle is as good as $I_{f,n}(S)$.

The full paper will include examples showing that neither $I_{f,n}(S)$ nor the projection rectangle
is necessarily larger than the other. 
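The endpoint sweep of Section 2 and the projection rectangle of Theorem 4 built on it, as an added Python example (not code from [Mar90] or from this paper; the function names, the min_i helper and the five constructed 2D rectangles are my own):

```python
# Added example (not from the paper): the 1D endpoint sweep of Section 2 and
# the projection rectangle of Section 3.1 built on it; names are my own.
from typing import List, Tuple

Interval = Tuple[float, float]   # closed interval [lo, hi]
Rect = List[Interval]            # d-rectangle: one interval per axis

def cover_1d(intervals: List[Interval], f: int) -> Interval:
    """I_{f,n}(S) for 1D sensors: the smallest interval containing every point
    that lies in at least n-f of the inputs.  O(n log n): sort the 2n endpoints
    and walk them in order while tracking the depth (open intervals)."""
    n = len(intervals)
    if not 0 <= f < n:
        raise ValueError("need 0 <= f < n")
    need = n - f
    # Sort key (x, kind): kind 0 = left end, 1 = right end, so at a tie an
    # interval opens before another closes (touching intervals overlap).
    events = sorted([(lo, 0) for lo, _ in intervals] + [(hi, 1) for _, hi in intervals])
    depth, left, right = 0, None, None
    for x, kind in events:
        prev, depth = depth, depth + (1 if kind == 0 else -1)
        if left is None and prev < need <= depth:
            left = x                 # depth reaches n-f for the first time
        if depth < need <= prev:
            right = x                # depth drops below n-f (last drop wins)
    if left is None:                 # no (n-f)-clique: more than f faulty
        raise ValueError("no point lies in n-f intervals")
    return (left, right)

def projection_rectangle(rects: List[Rect], f: int) -> Rect:
    """Theorem 4: one 1D problem per axis, recombined; O(dn log n) total."""
    return [cover_1d([r[k] for r in rects], f) for k in range(len(rects[0]))]

def size(rect: Rect) -> float:
    """|s| of a d-rectangle: product of its side lengths."""
    s = 1.0
    for lo, hi in rect:
        s *= hi - lo
    return s

def min_i(values, i: int) -> float:
    """min_i of Section 2: the i-th smallest of a set of values."""
    return sorted(values)[i - 1]

# Constructed 2D data: n = 5, true value (3.0, 4.0), last sensor faulty in x.
# f = 1 satisfies Theorem 4's condition f < n/(2d) = 5/4.
SENSORS: List[Rect] = [[(2.0, 4.0), (3.0, 5.0)], [(2.5, 3.5), (3.5, 4.5)],
                       [(1.0, 3.2), (2.0, 4.2)], [(2.8, 4.5), (3.8, 6.0)],
                       [(10.0, 11.0), (3.9, 4.1)]]

if __name__ == "__main__":
    box = projection_rectangle(SENSORS, f=1)    # [(2.8, 3.2), (3.8, 4.2)]
    ok = size(box) <= min_i([size(r) for r in SENSORS], 2 * 2 * 1 + 1)
    print(box, size(box), ok)
```

Running the same sweep with f = 2 = n/2 on the intervals [0,1], [0,1], [10,11], [10,11] returns [0,11], the unbounded growth that Theorem 2 describes.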

4 d-Circles 

If $s_i$ is constrained to be a d-dimensional circle (sphere in 3D) then the following upper bound can
be placed on the size of $I_{f,n}(S)$:

Theorem 5 Let S be a set consisting of n d-circles. If $0 \le f < n/(d+1)$ then $|I_{f,n}(S)| \le \min_{(d+1)f+1}\{|s| : s \in S\}$.

The proof of this theorem will appear in the full paper. Note that this bound grows more slowly
with d than does the bound of Theorem 3. For example, in order to tolerate a single failure for
measurements that are spheres, a sensor must be replicated at least 4 times. 

Algorithms for d-circles are not as efficient as algorithms for d-rectangles. Even in 2D, it 
appears that to find the $(n - f)$-cliques, it is necessary to build the entire arrangement of n circles.
Since n circles can have $\Omega(n^2)$ intersections, building the arrangement must take time $\Omega(n^2)$.
(The incremental algorithm for building an arrangement of circles takes worst-case time $O(n\lambda_4(n))$
where $\lambda_4$ is an almost-linear function related to Davenport-Schinzel sequences [EGPRSS]; using
randomization, the arrangement can be built in expected time $O(m + n \log n)$ where m is the
number of intersections [Mul89].) Of course, we can replace each d-circle by a d-square that
contains it and use the rectangle techniques, but this may produce an answer less accurate than 
desired. 
5 Discussion

We have shown how several real sensors (that measure the same multidimensional physical data) can 
be combined to produce a reliable abstract sensor. This process can be done efficiently, reporting a 
region guaranteed to be of reasonable size, for d-rectangles provided $f < n/(2d)$, where n is the number
of real sensors and f is the number of real sensors that are faulty. For d-circles, an abstract sensor
region of reasonable size exists provided $f < n/(d+1)$, but determining this region is considerably less
efficient. As mentioned in the Introduction, the results on size bounds for circles actually hold 
for any class of convex shapes in which the shapes are geometrically similar and share the same 
orientation. 

Improved results are possible if sensors are known to report d-rectangles that are all the same
size and orientation. In this case, the projection technique can be used to create an abstract sensor
which reports a d-rectangle of the standard size in $O(dn \log n)$ time provided $f < n/2$. Note that for
this case, the required relation between / and n is independent of d. The reported rectangle may 
not correspond to any of the original rectangles, but it will be bounded by the correct size. 

In contrast, for identically sized circles, the smallest circle covering all of the $(n - f)$-cliques
may be larger than the initial circles even when $f < n/2$. Of course, the bound in Theorem 5 still
applies; $|I_{f,n}(S)|$ is bounded by the size of the initial circles when $f < n/(d+1)$.

In this shortened version of our work, we have room for only a brief mention of fast approximation
techniques. A grid of equal-sized buckets can be used to detect $(n - f)$-cliques, leading to a
linear-time abstract-sensor algorithm at the cost of some accuracy. This technique works for both
d-rectangles and d-circles, but is more accurate for rectangles.